Enterprises generally desire to provide authorized users with secure access to protected resources in a user-friendly manner throughout a variety of networks, including the Internet. Although providing secure authentication mechanisms reduces the risks of unauthorized access to protected resources, those authentication mechanisms may become barriers to accessing protected resources.
To reduce the costs of user management and to improve interoperability among enterprises, federated computing spaces have been created. A federation is a loosely coupled affiliation of enterprises which adhere to certain standards of interoperability; the federation provides a mechanism for trust among those enterprises with respect to certain computational operations for the users within the federation. For example, a federation partner may act as a user's home domain or identity provider. Other partners within the same federation may rely the user's home domain for primary management of the user's authentication credentials, e.g., accepting a token that is provided by the user's home domain.
However, this federated approach to authentication does not relieve a given federation partner of the necessity of maintaining and managing a local account for a particular user such that the local account contains user-specific information with respect to the given federation partner, thereby allowing the given federated partner to manage accessibility to resources at the given federated partner with respect to that particular user.
Hence, when a user is certified for access to the user's home domain, there still is a need to certify the user in some manner to federated partners; otherwise, the user may discover that resources at the other federated partners are inaccessible, thereby defeating the purpose of the federation.